How alleged crooks used ATM skimmers to compromise thousands of accounts

Feds arrest leaders of ring that targeted $3 million stored in bank accounts.

Federal authorities have charged two men suspected of running an international operation that used electronic devices planted at automatic teller machine locations to compromise more than 6,000 bank accounts.

The operation—which targeted Capital One, J. P. Morgan Chase, and other banks—netted, or attempted to net, about $3 million according to an indictment filed in Manhattan federal court. It allegedly worked by obtaining payment card readers from Hungary and other countries and installing them on top of card readers already located on ATMs and doors to ATM vestibules. The fraudulent readers were equipped with hardware that recorded the information encoded onto a card's magnetic stripe each time it was inserted. A hidden pinhole camera with a view of the ATM keypad then captured the corresponding personal identification number.

Antonio Gabor and Simion Tudor Pintillie allegedly led a gang of at least nine other people who regularly planted the skimming devices in the Manhattan, Chicago, and Milwaukee metropolitan areas, prosecutors said. They would later revisit the ATM to retrieve the information stored on the skimming devices and cameras. Gang members would then encode the stolen data onto blank payment cards and use the corresponding PINs to make fraudulent purchases or withdrawals.

Gabor and Pintillie allegedly maintained "stash locations" to store the tools of their illegal trade. One self storage facility in Queens, New York, contained computer equipment storing data for about 6,100 compromised accounts and hundreds of hours of video footage depicting bank customers inputting their PINs into ATM keypads. The locker also contained more than 1,000 plastic cards with magnetic stripes that were encoded with stolen account data, as well as components for fraudulent card readers and hidden pinhole cameras.

The pair has been in federal custody since they were arrested in Skokie, Illinois in December. Pintillie is scheduled to be arraigned next week. A hearing for Gabor hasn't yet been scheduled. They were charged with one count each of conspiracy to commit bank fraud, conspiracy to commit access device fraud, and aggravated identity theft. If convicted on all charges, they face a maximum of almost 40 years in prison. Prosecutors have also begun proceedings to seize up to $3 million worth of property from the men.

The dark art of ATM skimming has been around for more than a decade, and advances in the equipment crooks use to ply their trade suggest it's not likely to go away any time soon. Indeed, much of the gear is so miniaturized and authentic-looking that it's next to impossible for a casual ATM user to spot. Security site KrebsOnSecurity has images of devices used in real ATM skimming scams here and here.

This is why I'm stupidly paranoid whenever I go to an ATM. I'm literally pulling on all the plastics around the card slot, inspecting the area above and around the keypad for cameras, inspecting any flier holders that may be within proximity of the panel for electronics. More than a few times I've pissed off a few people behind me, but frankly I couldn't give a damn. My identity is worth 2 minutes of my time.

Who can't recognize the skimmers? DRUNK PEOPLE! LOL Downtown, 3 AM, drunk as hell, they never see the skimmers. Scammers know who to screw for sure.

Also what siliconaddict said. The question these days is not if you are paranoid, but if you are paranoid ENOUGH.

EDIT: Why the minuses? Really? I live in Austin, TX and they have a massive issue with this down on 6th street. There are thousands of the little ATM machines all over the place. It is covered by bars. You all get the idea. Austin can't be the only city with this issue.

The ATM's at the bank my wife & I use all have green flashing LED's around the card slot. I would think it would be fairly difficult to put a skimmer over those. But even then I'm always paranoid enough to cover the keypad with my wallet in one hand while I punch in my PIN underneath with the other.

This helps, but I've seen examples of keypad overlays. Obviously doesn't work for touchscreen keypads, but for physical keypads, such a device would read your PIN regardless of how you tried to obfuscate.

The green flashing LEDs don't help at all, btw. They just need a transparent/translucent part of the skimmer. Google "ATM skimmer" to see examples.

IMHO, skimmers are a great example of misplaced energy. They are not trivial to design/manufacture. Probably the guys doing it could make a pretty good living doing something legitimate with those skills.

I tend to only use the ATM at my work (I use the company Credit Union as my bank). I'm reasonably comfortable that these scammers would have a difficult time getting past our front door security. Also I know what our machines look like, so if they change I should hopefully be able to spot the difference.

Also, this avoids the ATM fee that most third party ATMs charge nowadays.

That said, this big multinational outfit managed to skim only 6,100 cards in three major cities over the course of god knows how long? NYC alone has a population of over 8 million. This sounds like one of those things that can happen to you, but don't get overly paranoid about it because it probably won't.

From what I understand, Chip and Pin turns out to not offer much security at all, and the only reason it took off in Europe is because the banks got liability protections from the government if they implemented it. The same protections were not offered by the US government and the technology has gone nowhere here.

The ATM's at the bank my wife & I use all have green flashing LED's around the card slot. I would think it would be fairly difficult to put a skimmer over those. But even then I'm always paranoid enough to cover the keypad with my wallet in one hand while I punch in my PIN underneath with the other.

This helps, but I've seen examples of keypad overlays. Obviously doesn't work for touchscreen keypads, but for physical keypads, such a device would read your PIN regardless of how you tried to obfuscate.

The green flashing LEDs don't help at all, btw. They just need a transparent/translucent part of the skimmer. Google "ATM skimmer" to see examples.

IMHO, skimmers are a great example of misplaced energy. They are not trivial to design/manufacture. Probably the guys doing it could make a pretty good living doing something legitimate with those skills.

The guys selling the skimmers are selling $5 of plastic and electronics for $1000+

Reading all these articles about ATM skimmers highlights how well designed the security of the ATM system is, if the easiest way to attack it is physical and not technological, by skimming cards and taking photos of PINs.

In Canada, they've implemented chip-and-pin solutions pretty well across the board. Should put an end to this.

Click on the links provided. Chip and pin is implemented in Europe, but skimmers and fraud are still rampant.

Yep, so I followed the links. From what I'm reading, it sounds like you're right that chip-and-pin does not completely solve the problem, but it reduces it considerably, since it significantly raises the bar on how easy this is to do. The main problem with Chip-and-pin is that people want to be able to use their cards in countries where it is *not* widespread. (I'm looking at you, United States) so payments from non-Chip and Pin terminals are still accepted.

Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. The U.S. Secret Service estimates that annual losses from ATM fraud totaled about $1 billion in 2008, or about $350,000 each day.

Thanks for the story. I almost forgot that I'm out of town next week. Every time I head out of town I forget to call up the bank and they lock my checking account when I buy ANYTHING outside the state.

Who can't recognize the skimmers? DRUNK PEOPLE! LOL Downtown, 3 AM, drunk as hell, they never see the skimmers. Scammers know who to screw for sure.

If you click the links at the end of the article, you can see that the skimmers can be imperceptible, I think that's why you've been downvoted, it's not just drunks getting fooled, it's pretty much anyone.

The ATM's at the bank my wife & I use all have green flashing LED's around the card slot. I would think it would be fairly difficult to put a skimmer over those. But even then I'm always paranoid enough to cover the keypad with my wallet in one hand while I punch in my PIN underneath with the other.

This helps, but I've seen examples of keypad overlays. Obviously doesn't work for touchscreen keypads, but for physical keypads, such a device would read your PIN regardless of how you tried to obfuscate.

The green flashing LEDs don't help at all, btw. They just need a transparent/translucent part of the skimmer. Google "ATM skimmer" to see examples.

IMHO, skimmers are a great example of misplaced energy. They are not trivial to design/manufacture. Probably the guys doing it could make a pretty good living doing something legitimate with those skills.

I like the idea of transparent ATMs. It would be cool to see money being printed or shredded and to see my data travelling through the series of tubes

Recently my wife and I had two different cards compromised on the same day. Working it back, we figured out we had stopped at the same NJ turnpike rest stop and filled up the gas tank on two cars one behind the other. Was either a skimmer on the gas pump reader or a gas attendant with a handheld skimmer (yet another reason I hate mandatory full service in NJ).

IMHO, skimmers are a great example of misplaced energy. They are not trivial to design/manufacture. Probably the guys doing it could make a pretty good living doing something legitimate with those skills.

not necessarily. there are plenty of people who don't get jobs because they are 'overqualified' or too old or didn't pass a background check or they don't have immigration documents or the boss's cousin's sister's boyfriend needed a job or this or the other. criminal gangs can also leverage anything that renders someone on the margin of society to exploit them and then force them to do these things.

then you throw in globalization. in the US unemployment is at a historic high if it is at like 10%. in spain and a lot of other countries for young people the unemployment rate is currently like 50%. a young electrical engineer grad might have to choose between his family starving to death vs making an ATM skimmer for some criminal gang. this person will logically "choose life". and since the Magstripe Card Systems are relatively uniform across countries, what might seem 'unprofitable and illogical' in the US might seem wholly logical from a risk-reward perspective to manufacture in another country.

Then the international criminal gangs can simply export that technology and/or know how from one place to another. I think an international financier would call this "unemployed engineer arbitrage" and it's probably a lot like what goes on in the illicit trade of weapons, uranium, certain drugs, etc.

Who can't recognize the skimmers? DRUNK PEOPLE! LOL Downtown, 3 AM, drunk as hell, they never see the skimmers. Scammers know who to screw for sure.

Also what siliconaddict said. The question these days is not if you are paranoid, but if you are paranoid ENOUGH.

EDIT: Why the minuses? Really? I live in Austin, TX and they have a massive issue with this down on 6th street. There are thousands of the little ATM machines all over the place. It is covered by bars. You all get the idea. Austin can't be the only city with this issue.

See here for images of various skimming devices. You don't have to be drunk to miss that you're using an ATM that has a skimmer installed. Many of these devices are designed around various ATM's and not necessarily the kiosk-type of ATM's you see in convenience stores.

When my credit card was compromised, it was from a skimmer they had installed at an ATM that was in the lobby of an airport bank branch. You're foolish if you think they only target cheap corner store ATM's.

Chip + PIN does work very well indeed, as long as you implement dynamic authentication, which apparently not all of Europe has done (mostly due to having to roll out their implementation very quickly indeed). In Canada, ATM fraud gangs have for the most part dissolved or moved south of the border.

Crime tends to roll downhill and ATM gangs are often very international. You can expect more and more gangs involved in this to migrate to the US. Previously, the US was protected by Canada (why commit crime in a country where they'll pretty much throw away the key if you're caught when you can perform the same crime in Canada), but now that Canada has moved to Chip + PIN, it's time for international gangs to move to a new crime, dissolve, or migrate South.

And by the way, they've apparently got scanners that actually fit inside the card slot. Good luck spotting those... (Not to mention an employee simply replacing his card scanner in a store with one that captures data.)

(And yes, you can scan the MagStripe off a C+P card. You just can't use the MagStripe in any country that has gone C+P. Canadian cards can get skimmed and then have withdrawals made in the US. I expect if it gets bad, Canadian banks will disable cards that are used in the US unless the owner explicitly notifies the bank of his travel.)

In Canada, they've implemented chip-and-pin solutions pretty well across the board. Should put an end to this.

Which nincompoops are down-voting all comments in favour of solving this with chip-and-pin? Card skimming is almost trivial with magnetic strips, but significantly more challenging with chip-and-pin. You can't duplicate a cryptographic chip merely by swiping some electrodes across the contacts for a few milliseconds! Check this out:

UK Bank Card Fraud Reduction (fraud 23% down) Attributed to Chip-and-PIN Cards

When I next travel to the USA, if you're still using cards with magnetic strips over there, then I'm not going to be using cards: I'll use cash or paper-based Travellers' Checks instead. You Americans might have jumped a generation of technology by going directly from stone-age magnetic strips to space-age NFC (which isn't significantly deployed yet, and who knows when it will be); but missing out on chip-and-pin hasn't done you any good. OK, so we still have card fraud in Europe; but that's almost all "card not present" fraud now, and there's a reason for that: it's because chip-and-pin has made card-present fraud much harder to conduct, and most criminals took the path of least resistance. Chip-and-pin is a step in the right direction. In Europe, it's now time to solve card-not-present fraud...

In Canada, they've implemented chip-and-pin solutions pretty well across the board. Should put an end to this.

See Europe on that. Short answer: Nope.

But we do have a solution in Europe -- it is called anti-skimming device and it gets installed in the ATM. Also, ATMs here have cameras and everyone getting money from them has their face and hands recorded during transaction.

Seriously, USA has the worst possible credit card security in the world, right next to Malaysia, the other common place where all those skimmed cards end up being used. Being in this business I cringe every time I have to use my card when I am visiting USA.

@matthewslyman: Yes you can clone chip and pin card by cloning its magnetic stripe -- card is designed such that it can be used as magnetic in case of chip failure (hint: emv fallback), not to mention that you can also use it online if you write down PAN, CVV and expiry date.

In Canada, they've implemented chip-and-pin solutions pretty well across the board. Should put an end to this.

My chip cards still have magnetic strips and the strips still work.

I don't get why other countries haven't adopted the chip cards with open arms. It's really a one or nothing approach. If everyone doesn't ditch the magnetic stripe then everyone will still have one. As far as I know the chip hasn't been cracked and the technology has been around since the 80s. At least, we need to force ABMs to rely on the chip rather than the magnetic stripe here in Canada. Merchants have been mandated to change by 2014 (I believe since it keeps getting pushed back). The original date was sometime in 2011.

I work at a major financial institution and the number of card skimming incidents has drastically been reduced by the chip card but if the US doesn't change then you'll still see this happening. The sheer cost involved in fraud investigations would be worth the change, never mind the actual losses. Here's to the future of NFC and alternative payments.

In Canada, they've implemented chip-and-pin solutions pretty well across the board. Should put an end to this.

Which nincompoops are down-voting all comments in favour of solving this with chip-and-pin? Card skimming is almost trivial with magnetic strips, but significantly more challenging with chip-and-pin. You can't duplicate a cryptographic chip merely by swiping some electrodes across the contacts for a few milliseconds! Check this out:

UK Bank Card Fraud Reduction (fraud 23% down) Attributed to Chip-and-PIN Cards

When I next travel to the USA, if you're still using cards with magnetic strips over there, then I'm not going to be using cards: I'll use cash or paper-based Travellers' Checks instead. You Americans might have jumped a generation of technology by going directly from stone-age magnetic strips to space-age NFC (which isn't significantly deployed yet, and who knows when it will be); but missing out on chip-and-pin hasn't done you any good. OK, so we still have card fraud in Europe; but that's almost all "card not present" fraud now, and there's a reason for that: it's because chip-and-pin has made card-present fraud much harder to conduct, and most criminals took the path of least resistance. Chip-and-pin is a step in the right direction. In Europe, it's now time to solve card-not-present fraud...

The situation will actually become much, much worse in the future. All Visa, MasterCard and AmEx cards issued in 2013 will support NFC contactless payments. The "cool" thing about NFC is that one can read their data in plain text with any NFC enabled reader. From a distance. As in ~1m active unidirectional, or 10m passive sniffing. The data one can read in plain text are:

One can use this data to manufacture a perfectly working mag-stripe credit card. Using the EMV fallback option for a non-working chip one can even get a fully authorised "pin-verified" transaction receipt. Alternatively, one can simply brute-force the CVV2 for online purchases, it is only 100 combinations anyway.

Even better, though, NFC enabled credit cards can actually be tricked into accepting contactless payments of up to ~25€/$ via relaying. All one needs is a backpack sized antenna and an NFC capable smart phone, and of course an unsuspecting victim within ~1m radius of the backpack. The location of backpack and person initiating the payment via smart phone can by the way be bridged via the internet...

I don't get why other countries haven't adopted the chip cards with open arms. It's really a one or nothing approach. If everyone doesn't ditch the magnetic stripe then everyone will still have one. As far as I know the chip hasn't been cracked and the technology has been around since the 80s. At least, we need to force ABMs to rely on the chip rather than the magnetic stripe here in Canada. Merchants have been mandated to change by 2014 (I believe since it keeps getting pushed back). The original date was sometime in 2011.

I work at a major financial institution and the number of card skimming incidents has drastically been reduced by the chip card but if the US doesn't change then you'll still see this happening. The sheer cost involved in fraud investigations would be worth the change, never mind the actual losses. Here's to the future of NFC and alternative payments.

Chip and Pin can still be tricked to accept arbitrary pin entries by EMV compliant fall-back options. This has been demonstrated in the past and it even works with a live online connection to the payment processor. You basically trick the POS terminal that the only supported payment option of the credit card is chip + signature.

For now, though, skimming is still too easy and lucrative for fraudsters to start to use more sophisticated methods. Cloning and programming chip enabled cards to process successfully is a bit more involved...

Getting your pin number wrong a certain number of times will also allow the card to fallback to signature authorization (I'm not going to share the number but I'm sure it's easy enough to look up). I'm not denying that the whole system needs to be reworked but doing nothing and waiting for things to change doesn't seem smart.

Yeah, the EMV standard is currently full of holes like swiss cheese, although most of those are due to mandatory fall-back to mag-stripe, though. So everybody is suffering for the stupidness of the USA. As long as these holes are present, why bother hacking the chip and pin system? I am absolutely sure, that cryptographers let loose on that system will near instantly defeat its security. I mean, come on, the system doesn't even do proper public key encryption.

For me, though, the really amazing thing is that given how trivially easy it is to perform fraud with the current payment system, current fraud rates are still amazingly low. If anything, one should actually encourage skimmers and their like to force banks to actually take their legal responsibility for the money of their clients more seriously.

Chip and Pin can still be tricked to accept arbitrary pin entries by EMV compliant fall-back options. This has been demonstrated in the past and it even works with a live online connection to the payment processor. You basically trick the POS terminal that the only supported payment option of the credit card is chip + signature.

Isn't the problem not the PIN (which a camera can snag), but reproducing the Chip? I haven't heard about any viable method of duplicating the chip on a card (except with static authentication).

Anyway, the US banks aren't completely stupid. They're faced with a very decentralized system, so it's not like Canada where one organization (Interac) can basically force every card issuer in Canada to conform. As well, the cards, the software, and the machine upgrades are expensive.

Instead, the American banks are using fraud detection software that is getting better and better. We'll see whether it's good enough that the criminals give up and move onto a different line of work.

Yeah, the EMV standard is currently full of holes like swiss cheese, although most of those are due to mandatory fall-back to mag-stripe, though.

Again, Canada is lucky. There's only one network (which everybody is on) and it mandated that all POS & ATM be EMV capable and mandatory decline in the event of fallback. Problem solved. (Except for skimming cards in Canada and then taking the money out in the US/Overseas. I expect a lot of declines on withdrawals if you forget to tell your bank you're traveling outside of Canada if the fraudsters decide it's worth the bother of skimming Canadian cards.)
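
The issuer-side policy this thread keeps returning to (decline magnetic-stripe fallback on chip cards, and gate foreign magstripe use on a travel notice), sketched as an added example that is not from the article or any commenter. The entry-mode codes, field names, sample track data and country logic are assumptions for illustration; each card scheme defines its own values.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# POS entry modes (ISO 8583 field 22). Values shown are commonly used ones and
# are an assumption here; check the scheme's own specification.
ENTRY_CHIP = "05"
ENTRY_MAGSTRIPE = {"02", "90"}
ENTRY_FALLBACK = "80"  # chip could not be read, terminal fell back to the stripe

# Constructed sample data using a well-known test PAN; not real accounts.
SAMPLE_CHIP_TRACK2 = ";4111111111111111=30122011234?"    # service code 201
SAMPLE_STRIPE_TRACK2 = ";4111111111111111=30121011234?"  # service code 101


@dataclass
class AuthRequest:
    track2: str
    entry_mode: str
    terminal_chip_capable: bool
    terminal_country: str


@dataclass
class CardRecord:
    home_country: str
    travel_countries: frozenset = frozenset()  # countries the holder notified


def card_has_chip(track2: str) -> bool:
    """A first service-code digit of 2 or 6 marks a card that carries a chip."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("malformed track 2")
    return m["svc"][0] in "26"


def decide(req: AuthRequest, card: CardRecord) -> tuple:
    """Return (outcome, reason). PASS means only that this rule does not object;
    cryptogram, PIN and limit checks would still run afterwards."""
    if req.entry_mode == ENTRY_CHIP:
        return ("PASS", "chip read")
    if req.entry_mode not in ENTRY_MAGSTRIPE | {ENTRY_FALLBACK}:
        return ("DECLINE", "unrecognised entry mode")
    try:
        chip_card = card_has_chip(req.track2)
    except ValueError as exc:
        return ("DECLINE", str(exc))
    if not chip_card:
        return ("PASS", "magstripe-only card")
    # From here on: a chip card is being presented by its stripe, which is
    # exactly what a clone made from skimmed stripe data looks like.
    if req.entry_mode == ENTRY_FALLBACK or req.terminal_chip_capable:
        return ("DECLINE", "fallback at chip-capable terminal")
    if req.terminal_country == card.home_country:
        return ("DECLINE", "magstripe read in chip-only home market")
    if req.terminal_country in card.travel_countries:
        return ("PASS", "magstripe abroad with travel notice")
    return ("DECLINE", "magstripe abroad without travel notice")


if __name__ == "__main__":
    card = CardRecord(home_country="CA")
    print(decide(AuthRequest(SAMPLE_CHIP_TRACK2, "90", False, "US"), card))
```

The ordering matters: the fallback check runs before the travel check, so a travel notice never re-enables stripe use at a terminal that could have read the chip.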